The CareFirst Hack: What Went Right, What Went Wrong

CareFirst BlueCross BlueShield first learned in May 2014 of malware on an information system, according to two health information security consultants. But the healthcare insurer apparently did not realize the malware had not been completely eradicated -- and the system was hacked in June 2014.

This spring, as other health insurers including Anthem and Premera were announcing huge cyber attacks, CareFirst contracted with security firm Mandiant (owned by FireEye) to conduct an end-to-end examination of its IT environment and the breach was found, CareFirst acknowledged on May 20.

David Holtzman, vice president of compliance at CynergisTek, a health information consultancy, praises the insurer for taking another look at its security posture after learning of the Anthem and Premera hacks, which involved programming and processes consistent with what CareFirst had noticed in the spring of 2014. But security veteran Tom Walsh, president of Tom Walsh Consulting in Overland Park, Kan., has a different take: “Eleven months later, they finally begin to realize there still are issues out there.”

The attacks on the three insurers have common themes, Holtzman and Walsh say. These breaches differ from many others: they don’t appear to be immediately tied to employee negligence, such as being duped into handing over an email address, system credentials or other means of entering an information system or network, Holtzman says.

Both consultants peg “fake domains” as a prime way to get into an organization’s information network. A hacker may send an email that appears to be legitimate and includes a link that looks legitimate. The email may purportedly be from the organization’s chief financial officer or another senior executive, so it is likely to be opened. But when the recipient clicks on the link, malicious code is loaded onto the user’s computer, and that code then gets into the network.

There’s another, even more diabolical trick that hackers use. In 2014, hackers registered a number of web domains similar to the legitimate web addresses of multiple Blues plans. A site purporting to be WellPoint’s had the two l’s changed to 1’s; in a small font, the difference isn’t easily noticed. A fake Premera website changed the “m” to “nn.” Getting tricked is just too easy, even for a security-diligent employee, Walsh says. “It only takes one employee, one click, and you’re doomed.” Further, everyone is deluged with corporate email and tries to get through it as quickly as possible, he adds.
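The look-alike domain trick described above can be checked for mechanically before a link is ever clicked. The following Python script is an added example written for this article, not code from CareFirst, Mandiant or either consultant; the protected-domain list, the confusable table and the sample email text are constructed for illustration. It collapses confusable character sequences (including the “11” for “ll” and “nn” for “m” substitutions mentioned) into a skeleton form, compares each hostname found in a message against a list of protected brand domains, and also flags same-name/different-TLD registrations, one-character typos, and a brand domain embedded as a subdomain of something else.

```python
"""Flag look-alike ("fake") domains in links, defender-side.

Added example for this article. The protected-domain list, confusable table
and sample email below are constructed assumptions, not data from the article.
"""
import re
from urllib.parse import urlparse

# Constructed list of brand domains to protect (assumption).
PROTECTED_DOMAINS = ["wellpoint.com", "premera.com", "carefirst.com"]

# Confusable ASCII sequences -> the letters they imitate. Covers the two
# substitutions described in the article ("ll" -> "11", "m" -> "nn") plus a
# few other common ones. Longer keys are applied first.
CONFUSABLES = {
    "rn": "m",
    "nn": "m",
    "vv": "w",
    "1": "l",
    "0": "o",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def skeleton(domain: str) -> str:
    """Canonical form in which confusables collapse to the letters they
    imitate (same idea as the Unicode TR39 'skeleton', restricted to ASCII)."""
    out = domain.lower()
    for seq in sorted(CONFUSABLES, key=len, reverse=True):
        out = out.replace(seq, CONFUSABLES[seq])
    return out


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; used to catch single-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, protected=PROTECTED_DOMAINS):
    """Return (verdict, matched_protected_domain, reason) for one hostname."""
    d = domain.lower().rstrip(".")
    if d in protected:
        return ("legitimate", d, "exact match")
    for p in protected:
        if d.endswith("." + p):
            return ("legitimate", p, "subdomain of protected domain")
    for p in protected:
        # e.g. carefirst.com.billing-update.example: brand used as a prefix
        if d.startswith(p + "."):
            return ("lookalike", p, "protected domain embedded as subdomain")
    for p in protected:
        if skeleton(d) == skeleton(p):
            return ("lookalike", p, "confusable characters")
    for p in protected:
        if d.split(".", 1)[0] == p.split(".", 1)[0]:
            return ("lookalike", p, "same name, different TLD")
    for p in protected:
        dist = edit_distance(d, p)
        if dist <= 1:
            return ("lookalike", p, f"edit distance {dist}")
    return ("unknown", None, "no relation to a protected domain")


def scan_links(text: str, protected=PROTECTED_DOMAINS):
    """Classify the host of every URL in a message body.
    Returns a list of (host, verdict, matched, reason) in order of appearance."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        verdict, matched, reason = classify_domain(host, protected)
        results.append((host, verdict, matched, reason))
    return results


# Constructed sample message body (not from the article).
SAMPLE_EMAIL = """From the CFO: please review the updated vendor portal today.
Legitimate: https://www.wellpoint.com/login
Fake:       https://we11point.com/login
Fake:       https://prennera.com/portal
Fake:       https://carefirst.com.billing-update.example/pay
"""

if __name__ == "__main__":
    for host, verdict, matched, reason in scan_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {host:45} {reason}")
```

Running the script prints one line per link, with the three fake hosts flagged as lookalikes and the real subdomain passed as legitimate. The same check can be wired into a mail gateway or a proxy, where the cost of a false positive is a warning banner rather than a blocked message; the skeleton comparison deliberately errs toward flagging.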

Walsh is impressed that CareFirst is offering two years of credit and identity protection services, because cyber attacks commonly begin with an initial intrusion after which the attacker waits about a year before actually using the data. Too many organizations that are hacked or otherwise breached offer only one year of protection, which may well be a year in which the holder of the stolen data plans no activity, leaving affected individuals vulnerable when the second year comes.

In a way, CareFirst was very lucky as it likely was targeted for a very good reason, Holtzman says. The company is a primary insurer for the Federal Employees Health Benefits Program, but that data was on a separate network. “To me, that would have been the pot of gold that hackers would be looking for.”